Blog article
See all stories »

Gem of a Fraud: A classic example of operational risk

Indian banking system is reeling under a series of reported frauds in the last few weeks. The mother of all is the USD 1.7 billion at PNB (Punjab National Bank) which is amongst the top public sector banks.
Modus Operandi: An Indian bank (A) issues an LOU (Letter of undertaking) at the request of a corporate to a bank in a different country (B), guaranteeing a loan that (B) gives to a third party who is overseas. The third party generally is the beneficiary or the importer. The importer sells the goods and repays the loan.  LOUs as corporate lending product is a common practice by banks in India. As it is a high risk lending, LOUs are generally issued against collateral. Regulatory compliance requires the LOU cannot be issued for more than 90 days.
There was a change of guard at the forex business desk of PNB and a fresh request for an LOU was tabled by the corporate in question that enjoyed LOU financing. The new officer asked for 100% cash margin (collateral). The corporate stated that earlier LOUs were issued without any margin. The new officer checked the past records and found no record of LOUs. That opened the Pandora Box. In effect LOUs issued were not recorded in the Bank's books. As I write investigations are currently in progress.
Operational risk: This can be defined as, any loss caused by inadequate or failed internal processes, people, systems, or by external events. Basel II, lists out 7 types of such risks. Internal fraud, external fraud, employment practices and workplace safety, clients, products and business practice, damage to physical assets, business disruption and system failures, execution, delivery and process management.
What went wrong at PNB?

There were many failures in internal controls. I have listed the major ones here.   

1. All the years there was the same officer at the LOU desk
The Bank did have a procedure that required an officer to be transferred every 2 to 3 years. It is not known why the person was not shifted.
2. Direct access of SWIFT system
SWIFT provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment. (
The officer gained direct access to SWIFT terminal to send the fraudulent LOUs. These transactions were not recorded in the Bank’s books. It is surprising that having straight through processing of SWIFT messages from the core banking system, any messages directly sent was not tracked as exceptions. An extension to this was modifying LOU amount in SWIFT terminal after being approved in the core banking system.
3. Unreconciled Nostro Accounts:
Nostro account refers to an account that a bank holds in a foreign currency in another bank.
The loans guaranteed pass through PNBs Nostro account. However this control failed as the accounts were not reconciled on a regular basis.
4. LOU reconciliation not done:
Banks are subject to audit by central bank, internal audit and audit by external firms. Normally they look for reconciliations and check a few selected randomly for assurance that the transactions are genuine. This appears not to be the case.
5. Sharing of passwords:
It is reported that the prime accused in the Bank shared the SWIFT password with the corporate.
It is still not clear how the overseas banks (Overseas branches of Indian banks) routinely lent money against LOUs without once doing a due diligence. More surprising is that these banks are audited as well by the local controllers and firms. There are no reports of anyone raising exceptions to such transactions.
Perhaps this will go down as a classic example of operational risk leading to credit risk. Similar to what Nick Leeson did for Barings decades ago. One man bringing down an established bank. PNB was founded in 1894.


Comments: (2)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 22 February, 2018, 12:011 like 1 like

Great post. Has helped greatly in my understanding of the anatomy of PNB fraud. 

Would be great if you could share your thoughts on what's the most common combination of systems and workflow used by other banks to prevent even a single instance of this fraud from happening, let alone multiple instances over several years?

AFAIK, human users initiate payment transactions on core or other payment processing systems, after which the message is untouched by human hands as it is submitted automatically by those systems to the SWIFT Gateway system, which then sends it out to the SWIFT network. But, even in that workflow, I'm guessing sysadmins can still input a payment directly on the SWIFT Gateway. Sounds easy. But if it were really so easy in actual practice, the sky would've fallen long ago. Any idea how banks have prevented that from happening over their 30+ years of usage of SWIFT?

Vishwanath Thanalapatti
Vishwanath Thanalapatti - Temenos - Canada 22 February, 2018, 17:561 like 1 like

In my experience, frauds with the involvement of internal people occur due to non observance of procedures or processess. 4 eyed principle is the norm in banks. In some cases 6 eyes as well. In addition financial delegation of powers defines the contours of freedom to operate. Violation is the main reason. Software solutions are fine for routine and repetitive activities. Key decisions are taken by people. 

As a systems auditor, compromises occur primarily when passwords are shared, physical and logical access controls not enforced etc. From business perspective, rotation of people across branches or across different departments is a norm. Exception reporting is a control each bank has. 

Large branches have a full time concurrent auditor. In addition audits happen regularly. Could be internal, external or by controllers. There are SLAs for rectifying adverse comments. The current auditor, always refers to the previous audit report as a start point. 

It is still a practice to record all incoming and outgoing swift messages. Hard copies are acknowledged by department heads and retained in appropriate files. The sequence numbers are tracked meticulously. The receiving bank of an authenticated message simply acts on it in good faith unless some clarification is required. That is the arrangement and accepted global practice. 

In practice trust amongst colleagues and ones ethics drives banking. It does exist in good proportion. At times a few unscruplous people do take advantage. However, negligence to observe laid down processess is no excuse. Frauds have ocurred in the past and may occur in future, the impact is a factor of the magnitude of dollar amount, its extensiveness geographically and ofcourse the number of banks. 

'Integrity' is a core principle in information system audit. If data flows through multiple systems, it must must be consistent as it was from the point of origin. The trusted way is through straight through processing or at worst with little human intervention.

Re: sys admins, they will not have transation rights.  Messaging has a maker, checker and an authoriser. The 6 eye princple model. 

Vishwanath Thanalapatti

Vishwanath Thanalapatti



Member since

04 Jan 2018



Blog posts




This post is from a series of posts in the group:

Financial Risk Management

This network brings together professionals involved in the oversight and management of their company's financial risks and exposures as well as solution vendors, in order to discuss risk issues including interest rate risk, foreign exchange risk and commodity price risk, among others.

See all

Now hiring